Create a sensitive information type policy for your organization using Microsoft Purview Message Encryption

You can use either Exchange mail flow rules or Microsoft Purview Data Loss Prevention (DLP) to create a sensitive information type policy with Microsoft Purview Message Encryption. To create an Exchange mail flow rule, you can use either the Exchange admin center (EAC) or Exchange PowerShell.


If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

To create the policy by using mail flow rules in the EAC

Sign in to the Exchange admin center and go to Mail flow > Rules. On the Rules page, create a rule that applies Message Encryption. You can create a rule based on conditions such as the presence of certain keywords or sensitive information types in the message or attachment.

To create the policy by using mail flow rules in Exchange PowerShell

Use a work or school account that has global administrator permissions in your organization, connect to Exchange Online PowerShell. For instructions, see Connect to Exchange Online PowerShell. Use the Set-IRMConfiguration and New-TransportRule cmdlets to create the policy.

Example mail flow rule created with Exchange PowerShell

Run the following commands in PowerShell to create an Exchange mail flow rule that automatically encrypts emails sent outside your organization with the encrypt-only option if the emails or their attachments contain the following sensitive information types:

  • ABA routing number
  • Credit card number
  • Drug Enforcement Agency (DEA) number
  • U.S. or U.K. passport number
  • U.S. bank account number
  • U.S. Individual Taxpayer Identification Number (ITIN)
  • U.S. Social Security Number (SSN)
Set-IRMConfiguration -DecryptAttachmentForEncryptOnly $true
New-TransportRule -Name "Encrypt outbound sensitive emails (out of box rule)" -SentToScope  NotInOrganization  -ApplyRightsProtectionTemplate "Encrypt" -MessageContainsDataClassifications @(@{Name="ABA Routing Number"; minCount="1"},@{Name="Credit Card Number"; minCount="1"},@{Name="Drug Enforcement Agency (DEA) Number"; minCount="1"},@{Name="U.S. / U.K. Passport Number"; minCount="1"},@{Name="U.S. Bank Account Number"; minCount="1"},@{Name="U.S. Individual Taxpayer Identification Number (ITIN)"; minCount="1"},@{Name="U.S. Social Security Number (SSN)"; minCount="1"}) -SenderNotificationType "NotifyOnly"

For more information, see Set-IRMConfiguration and New-TransportRule.

How recipients access attachments

After Microsoft encrypts a message, recipients have unrestricted access to attachments when they access and open their encrypted email.

To prepare for this change

You may want to update any applicable end-user documentation and training materials to prepare people in your organization for this change. Share these message encryption resources with your users as appropriate:

View these changes in the audit log

Microsoft 365 audits this activity and makes it available to administrators. The operation is 'New-TransportRule' and a snippet of a sample audit entry from the Audit Log Search in the compliance portal follows:

*{"CreationTime":"2018-11-28T23:35:01","Id":"a1b2c3d4-daa0-4c4f-a019-03a1234a1b0c","Operation":"New-TransportRule","OrganizationId":"123456-221d-12345 ","RecordType":1,"ResultStatus":"True","UserKey":"Microsoft Operator","UserType":3,"Version":1,"Workload":"Exchange","ClientIP":"123.456.147.68:17584","ObjectId":"","UserId":"Microsoft Operator","ExternalAccess":true,"OrganizationName":"","OriginatingServer":"CY4PR13MBXXXX (15.20.1382.008)","Parameters": {"Name":"Organization","Value":"123456-221d-12346"{"Name":"ApplyRightsProtectionTemplate","Value":"Encrypt"},{"Name":"Name","Value":"Encrypt outbound sensitive emails (out of box rule)"},{"Name":"MessageContainsDataClassifications"...etc.*

To disable or customize the sensitive information types policy

Once you've created the Exchange mail flow rule, you can disable or edit the rule by going to Mail flow > Rules in the Exchange admin center and disabling the rule "Encrypt outbound sensitive emails (out of box rule)".